DPDP Act: Lawful Processing: Consent, Legitimate Uses and Employment-Related Processing

This topic breaks down the legal requirements of valid consent into easy-to-understand elements. It covers that consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action. The topic explains that a privacy notice issued at or before the time of collecting personal data must clearly...

This topic breaks down the legal requirements of valid consent into easy-to-understand elements. It covers that consent must be free, specific, informed, unconditional and unambiguous, given through a clear affirmative action. The topic explains that a privacy notice issued at or before the time of collecting personal data must clearly state what data will be collected, for what purposes, how it will be used, the rights of the Data Principal and the method for withdrawing consent or making complaints. Everyday examples are used to show compliant and non-compliant practices: pre-ticked boxes, bundled consent for unrelated purposes, hidden terms or confusing language are contrasted with clear, purpose-linked notices and simple yes/no choices. The topic also explains that consent must be as easy to withdraw as it was to give, and that organisations must maintain logs of consents and withdrawals. Employees learn to identify problematic consent practices and raise them with the appropriate teams.

Show more

This topic applies the theory of consent and legitimate uses to concrete employment scenarios. It considers activities such as maintaining core HR files, processing payroll, statutory compliances, background verification, performance appraisal systems, productivity monitoring tools, CCTV surveillance, wellness programmes and optional benefits. For each scenario, the topic discusses whether consent...

This topic applies the theory of consent and legitimate uses to concrete employment scenarios. It considers activities such as maintaining core HR files, processing payroll, statutory compliances, background verification, performance appraisal systems, productivity monitoring tools, CCTV surveillance, wellness programmes and optional benefits. For each scenario, the topic discusses whether consent is likely not required due to legitimate use or legal obligation, or whether fresh, specific consent is advisable because the activity goes beyond what is strictly necessary for employment. It explains grey areas such as extended employee monitoring, secondary uses of HR data for analytics and sharing employee details with external partners for marketing or employer branding. Learners practice classifying scenarios and are guided to seek expert advice where the legal basis is unclear, reinforcing a cautious, risk-aware mindset.

Show more

This topic translates legal consent requirements into practical design principles for notices and consent flows across HR portals, customer sign-up pages, mobile apps and internal tools. It explains how to identify moments where personal data is first collected and how to ensure that a clear notice is displayed at or...

This topic translates legal consent requirements into practical design principles for notices and consent flows across HR portals, customer sign-up pages, mobile apps and internal tools. It explains how to identify moments where personal data is first collected and how to ensure that a clear notice is displayed at or before that time. The topic emphasises using plain language, avoiding unnecessary legalese, and presenting consent choices in a way that is not misleading or coercive. It covers multi-language support, accessibility considerations and the importance of aligning notice content with actual back-end processing activities. Examples of good and bad consent screens, employee policy acknowledgements and email opt-in flows are discussed. Learners are not expected to become designers, but they learn to spot confusing or incomplete notices and escalate improvements through the right internal channels.

Show more

This topic introduces the concept of legitimate uses as situations where the DPDP Act permits processing of personal data without the Data Principal’s explicit consent. It focuses on employment-related legitimate uses, such as processing necessary for recruitment, payroll, benefits administration, performance management, prevention of corporate espionage, protection of trade secrets,...

This topic introduces the concept of legitimate uses as situations where the DPDP Act permits processing of personal data without the Data Principal’s explicit consent. It focuses on employment-related legitimate uses, such as processing necessary for recruitment, payroll, benefits administration, performance management, prevention of corporate espionage, protection of trade secrets, compliance with law and safeguarding the employer from loss or liability. The topic explains that even where consent is not required, organisations must still respect other obligations like data minimisation, security safeguards and grievance redressal. Realistic HR and operations examples are used to illustrate where reliance on legitimate use is reasonable and where it may be stretched beyond its intended scope. Learners are encouraged to alert HR or Legal when a processing activity seems unrelated to genuine employment needs or lawful purposes and may therefore require separate consent.

Show more

This topic explains that under the DPDP Act, Data Principals have the right to withdraw consent and that organisations must stop processing for that purpose within a reasonable time, unless another legal basis applies. It discusses the operational impact of consent withdrawal on marketing lists, optional programmes, app features and...

This topic explains that under the DPDP Act, Data Principals have the right to withdraw consent and that organisations must stop processing for that purpose within a reasonable time, unless another legal basis applies. It discusses the operational impact of consent withdrawal on marketing lists, optional programmes, app features and data already shared with certain vendors. The topic also covers the requirement to seek fresh consent if the organisation wishes to use data for a new purpose that is not compatible with the original one. Practical guidance is given on how employees should log and escalate consent withdrawals received by email, call or in person, and how to avoid continuing to use or share data in breach of the updated consent status. The topic reinforces that respecting withdrawals is as important as obtaining consent in the first place and is a key part of building trust with Data Principals.

Show more